Technique on mitre.org

T1574.007: Path Interception by PATH Environment Variable

Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.

Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.

For example, on Windows if an adversary places a malicious program named "net.exe" in C:\example path, which by default precedes C:\Windows\system32\net.exe in the PATH environment variable, when "net" is executed from the command-line the C:\example path will be called instead of the system's legitimate executable at C:\Windows\system32\net.exe. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a Command and Scripting Interpreter.

Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the $PATH variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, Unix Shell Configuration Modification, or modifying the /etc/paths.d folder contents.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of events related to modification of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for newly constructed files for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor for modifications of PATH environment variable Registry keys such as `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path`. An adversary can add a new directory or list of directories before other locations where programs can be executed from.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed processes for process executable paths that are named for partial directories.

ID	Data source and component	Description
DS0022	File: File Creation	Monitor for newly constructed files for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Also, monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
DS0024	Windows Registry: Windows Registry Key Modification	Monitor for modifications of PATH environment variable Registry keys such as `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path`. An adversary can add a new directory or list of directories before other locations where programs can be executed from.
DS0009	Process: Process Creation	Monitor for newly executed processes for process executable paths that are named for partial directories.

Mitigation

ID	M1022	Name	Restrict File and Directory Permissions	Description	Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:` and system directories, such as `C:\Windows</code>, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.`

ID	M1038	Name	Execution Prevention	Description	Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.

ID	M1047	Name	Audit	Description	Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate. Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.

ID	Name	Description
M1022	Restrict File and Directory Permissions	Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:` and system directories, such as `C:\Windows</code>, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.`
M1038	Execution Prevention	Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.
M1047	Audit	Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate. Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.